Use the untrusted flow when buildpacks are added to a trusted builder

Fixes /~https://github.com/buildpacks/pack-private/issues/21 Signed-off-by: Natalie Arellano <narellano@vmware.com>
buildpacks · May 2, 2024 · 1ab72dd · 1ab72dd
1 parent 32563a6
commit 1ab72dd
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 3 deletions.
diff --git a/pkg/client/build.go b/pkg/client/build.go
@@ -400,6 +400,10 @@ func (c *Client) Build(ctx context.Context, opts BuildOptions) error {
 	// Get the platform API version to use
 	lifecycleVersion := bldr.LifecycleDescriptor().Info.Version
 	useCreator := supportsCreator(lifecycleVersion) && opts.TrustBuilder(opts.Builder)
+	if useCreator && hasAdditionalModules(opts) {
+		c.logger.Warnf("Builder is trusted but additional modules were added; using the untrusted (5 phases) build flow")
+		useCreator = false
+	}
 	var (
 		lifecycleOptsLifecycleImage string
 		lifecycleAPIs               []string
@@ -703,6 +707,11 @@ func (c *Client) Build(ctx context.Context, opts BuildOptions) error {
 	return c.logImageNameAndSha(ctx, opts.Publish, imageRef)
 }
 
+func hasAdditionalModules(opts BuildOptions) bool {
+	return !(len(opts.Buildpacks) == 0 && len(opts.Extensions) == 0 &&
+		len(opts.PreBuildpacks) == 0 && len(opts.PostBuildpacks) == 0)
+}
+
 func extractSupportedLifecycleApis(labels map[string]string) ([]string, error) {
 	// sample contents of labels:
 	//    {io.buildpacks.builder.metadata:\"{\"lifecycle\":{\"version\":\"0.15.3\"},\"api\":{\"buildpack\":\"0.2\",\"platform\":\"0.3\"}}",

diff --git a/pkg/client/build_test.go b/pkg/client/build_test.go
@@ -2112,9 +2112,6 @@ api = "0.2"
 							h.AssertEq(t, args.PullPolicy, image.PullAlways)
 							h.AssertEq(t, args.Platform, "linux/amd64")
 						})
-						it("uses the api versions of the lifecycle image", func() {
-							h.AssertTrue(t, true)
-						})
 						it("parses the versions correctly", func() {
 							fakeLifecycleImage.SetLabel("io.buildpacks.lifecycle.apis", "{\"platform\":{\"deprecated\":[\"0.1\",\"0.2\",\"0.3\",\"0.4\",\"0.5\",\"0.6\"],\"supported\":[\"0.7\",\"0.8\",\"0.9\",\"0.10\",\"0.11\",\"0.12\"]}}")
 
@@ -2154,6 +2151,32 @@ api = "0.2"
 							args := fakeImageFetcher.FetchCalls[fakeLifecycleImage.Name()]
 							h.AssertNil(t, args)
 						})
+
+						when("additional buildpacks were added", func() {
+							it("uses the 5 phases with the lifecycle image", func() {
+								additionalBP := ifakes.CreateBuildpackTar(t, tmpDir, dist.BuildpackDescriptor{
+									WithAPI: api.MustParse("0.3"),
+									WithInfo: dist.ModuleInfo{
+										ID:      "buildpack.add.1.id",
+										Version: "buildpack.add.1.version",
+									},
+									WithStacks: []dist.Stack{{ID: defaultBuilderStackID}},
+									WithOrder:  nil,
+								})
+
+								h.AssertNil(t, subject.Build(context.TODO(), BuildOptions{
+									Image:        "some/app",
+									Builder:      defaultBuilderName,
+									Publish:      true,
+									TrustBuilder: func(string) bool { return true },
+									Buildpacks:   []string{additionalBP},
+								}))
+								h.AssertEq(t, fakeLifecycle.Opts.UseCreator, false)
+								h.AssertEq(t, fakeLifecycle.Opts.LifecycleImage, fakeLifecycleImage.Name())
+
+								h.AssertContains(t, outBuf.String(), "Builder is trusted but additional modules were added; using the untrusted (5 phases) build flow")
+							})
+						})
 					})
 
 					when("lifecycle doesn't support creator", func() {